is it possible to remove files from the folder when session will destroy. am doing that when a user come into the site and he can upload files(images, or textfiles), etc.. with out login into the site. and the files 'll store into my project's folder. now i need to do if the user quits from browser with out login i need to delete all the files what he upload in to project folder. how to do this ?
Thanks in advance.
You can do this by implementing your own session handler. This way, you can define a callback for various events, including the destruction of a session. See this link for more information:
http://www.php.net/manual/en/function.session-set-save-handler.php
Update: The problem with that solution is that you need to implement the rest of the session handling code as well (initialize the session, close the session, read from storage, write, garbage collect). However, the linked page above gives a full example that you can add your functionality to.
It all depends on the business decision.
You can do, Do not save the file in projects folder instead save it somewhere else like 'tmp' folder and save the reference of that file (file path) in session.
by unlink("path") function you can do it in PHP .. but it also depends on the logic that you have used.
if you just want to delete uploaded file then unlink is your solution
use session set save handler to create an event handler for session events.
Sriram,
In PHP, seems the server does not keep track of session on its side. Only time the server knows of a session is expired is when it receives the info about the session cookie in the request. If the cookie is there session exist or else, its expired..
Related
For my Joomla! 3.8+ extension I need to be able to find and delete (unlink) PHP session files (named 'sess_' + session id) which will be stored in the session_save_path, e.g. /tmp. I understand that it is PHP who is storing the session files, i.e. not Joomla! (Joomla! session handler set to 'PHP')
My question: Will a PHP session file that is created through the use of the Joomla! website ALWAYS be read/write accessible by my extension's PHP code which is part of the same Joomla! install?
Addition: I realised later, that I omitted the word 'always' in my question, which I have now added.
Addition: More in-depth explanation about what I am trying to achieve.
As I said I have a Joomla! site, where users can log into.
The issue applies ONLY when Joomla! is configured with Session Handler set to 'PHP' (instead of 'database'). When Session Handler is 'database', there is no problem.
In basic terms, I want to achieve the following (with Joomla! session handler set to 'PHP'):
1> A user opens browser A and logs into the website and Joomla!
records the related session ID plus user ID in a database.
2> The same user opens a different browser B (maybe at a different IP)
and wants to log into the same website.
3> Because user has already logged into the website through browser A,
he/she is not allowed to log in again and will be presented a
clickable link that will destroy all his other sessions, including the
one with browser A (we have recorded the session IDs of all the other
sessions).
A mere session_destroy() in step 3 is just partly doing the trick, because the destroyed session details reappears after a little while at the Joomla! backend and also in the Joomla! session table. Although this does not interfere with the Joomla! front-end, it is not clean and I want to avoid it, to make it fool proof.
By far the best solution is if I could delete the PHP session file (for example in dir /tmp and named 'sess_....'). I have tested this and it worked fine. However... it relies upon always having delete access to the PHP session file (using session_save_path() and unlink($session_file_path)) and this is the basis of the question that I posted.
I found out that the delete of the PHP session file is not always possible; it depends on the providor's PHP config. Since it is a commercial app that I am developing, the process must work on all configs, i.e. including those that do not allow delete access to the session file.
I will continue my search for a solution and will post it here when I found it.
What you want is often possible but it poses a security risk (just think: one user can read session files before knowing who they belong to, so also those of other users), and therefore security-conscious ISPs will endeavour to prevent this.
So even if you manage to do this, nothing assures you that your code isn't going to break should the ISP tighten its security in the future. This makes for some maintenance uneasiness.
A better solution would be to have a secondary table of invalidated session-ids.
Then you write a user plugin hooking the onUserAuthorization and onUserLogout events. You will need onAfterInitialise too.
This hook will check upon initialisation whether the current session ID has been invalidated; if it is, immediate logout is triggered. Otherwise, its timestamp is updated.
On user logout, the current session id is removed from the table and the session destroyed.
At a fresh login, a warning about other sessions being open is issued: if login succeeds, all other sessions for the same user will be marked as invalidated.
As a maintenance task, all entries with a timestamp older than maximum session lifetime may safely be expunged.
That depends on the server settings.
Find the user PHP is using: How to check what user php is running as?
Check the permissons of that user on the folder where the sessions are stored: Unix: How to check permissions of a specific directory?
Change the permissions when needed: https://serverfault.com/questions/105535/how-can-i-set-full-premissions-to-a-user-in-a-specified-dir
Thank you #Nigel and #AgeDeO
By trial and error, I found out that the answer is NO, not always.
By executing the code with a few commercial ISPs, I hit one ISP who did not allow me to delete the PHP session file while it was at its default location. The location was /var/lib/php5.
How to store the files in session variables so that i can use those sessions in next step of form wizard?
like this
$_SESSION['fileupload']=$_FILES['fileupload'];
Store the file on the server when you upload it, then in the session store the filename/path which will allow you to use the file on the next step of your wizard.
Storing the file contents in a session is pointless and will drain resources on the server.
I have a folder outside /application folder of CodeIgniter called myfolder.
My CI application uses Native PHP sessions and it all works fine. CI version is the latest 3.0-development.
I need to access some of the session data in myfolder/myfile.php. If I do a session_start() and then print_r($_SESSION); then I don't see the session set by CI's session driver. I understand why it doesn't show it.
Do you know any method/hack by which I can refer to session data from the CI's session in myfolder. for example by directly including, say, Codeigniter/libraries/session/drivers/session_native.php or any other file?? I just an array from the session data.
Its a trick but do work. Place this little naughty code just before login redirect. And now you can use ci_session with php native session too ,have fun !
<?php
session_start();
echo $_SESSION['ci_session'] = $this->session->userdata['ci_session'];
?>
The current Session_native.php doesn't seem to change any of the built in session library's preference or interfere with how the session data is saved, i think the following should work:
Get a hold of the session id for the session you want to load
call session_id($sessid) with this session id before session_start()
call session_start()
This should work as long as the various ini settings that control the session lib like session.save_path is the same and maybe (if your host have this extension installed) suhoshin settings like suhosin.session.cryptdocroot doesn't interfere.
You can get in cookeis
<?php
print_r($_COOKIE['ci_session']);
Save the session data which you wants to refer from outside the folder into cookies, which may helps you.
So use cookies to refer data from outside the folder and make sure when you set cookies it should be in proper accessible path
So Im a beginner when it comes to PHP so I need a little help. I am trying to figure out when to start the session. Should I do it when the user first registers or what about when they log in?
Also, are sessions 'universal' meaning when I check a session will it work or do I have to include a file to all pages that check if someone has a session?
"Should I do it when the user first registers or what about when they log in?"
You should do it every time you want to get or set any session information. Data stored in the $_SESSION array will only be available after the session is started.
"Also, are sessions 'universal' meaning when I check a session will it work or do I have to include a file to all pages that check if someone has a session?"
Calling session_start() is all you need to create a session. If a session was already created, that session will be used.
just to session_start() once in every file you access the $_SESSION variable. best would be to do it in a central spot. for example a file which is included in every of your applications files.
i have this question. My website is build whereby a user can only be in the member's page if he has login. therefore every page has this,
if (!$_SESSION['userid']) header index.php
Problem is that if i ban the user and the user did not end the session, he will still be allowed to use the site until he end the session and try to login again, and he will be denied due to the change in the status in the database.
I'm thinking that the only way is to delete the physical session file in the server, but i dont know how. Anyone?
What I have done is create a database query in a header file that is included in every page that either pulls the users profile or checks to see if they were banned. If so then I destroy their session.
What you need to do is add in your ajax post the user id, or some other information to identify the specific user posting. This way you can check on the server side if the user is allowed to post with each post, and if not take the necessary action.
Unless you're using the multi-level directory save method, something like this would probably be enough:
unlink(ini_get('session.save_path') . 'sess_' . $bannedSessionID));
check that your server's session files have the 'sess_' prefix, though. It could possibly be overridden somewhere. But in any case, by default all the session files are in a single directory (/tmp unless they've been moved) and can be opened/read/written/deleted by the webserver (as they have to be)